1. Field of Disclosure
The disclosure generally relates to the field of computer security, in particular to determining whether a computer file is malicious.
2. Description of the Related Art
A wide variety of malicious software (malware) can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Malicious entities sometimes attack servers that store sensitive or confidential data that can be used to the malicious entity's own advantage. Similarly, other computers, including home computers, must be constantly protected from malicious software that can be transmitted when a user communicates with others via electronic mail, when a user downloads new programs or program updates, and in many other situations. The different options and methods available to malicious entities for attack on a computer are numerous.
Conventional techniques for detecting malware, such as signature string scanning, are becoming less effective. Modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Such malware might never be encountered by security analysts, and thus the security software might never be configured with signatures for detecting such malware. Mass-distributed malware, in turn, can contain polymorphisms that make every instance of the malware unique. As a result, it is difficult to develop signature strings that reliably detect all instances of the malware.
Newer techniques for detecting malware involve the use of reputation systems. A reputation system can determine the reputation of a file encountered on a computer in order to assess the likelihood that the file is malware. One way to develop the reputation for a file is to collect reports from networked computers on which the file is found and base the reputation on information within the reports. A file's reputation can change over time as more reports are collected. There is a need for a way to efficiently provide the changing reputation scores to the networked computers and other entities that use the reputation scores to detect malware.